iPhones will pretty much trust any computer they're plugged into.

Plugging your phone into a charger should be pretty safe to do. It should fill your phone with electricity, not malware. But researchers from Georgia Institute of Technology have produced fake chargers they've named Mactans that do more than just charge your phone: they install custom, malicious applications onto iPhones.

Their bogus chargers—which do, incidentally, charge the phone—contain small computers instead of mere transformers. The iPhone treats these computers just as it does any other USB host: beyond drawing power, it responds to the host's USB commands. It turns out that the iPhone is very trusting of USB-attached computers; as long as the iPhone is unlocked (if only for a split second) while attached to a USB host, that host has considerable control over the iPhone.

The researchers used their USB host to install an app package onto any iPhone that gets plugged in. iOS guards against installation of arbitrary applications with a strict sandboxing system, a restriction that has led to the widespread practice of jailbreaking. This attack doesn't need a jailbreak, however.

Instead, it takes advantage of the system that Apple devised to permit developers to deploy applications to their own devices for testing purposes. Deploying such applications requires the creation of a provisioning profile. A provisioning profile identifies a specific phone and a specific application, allowing the named application to run on the named device. These provisioning profiles are generated by Apple and installed over USB.

The malicious charger interrogates the attached iPhone to read its UDID, the unique ID number that identifies a particular iPhone. It then submits the UDID to Apple's Web page that generates provisioning profiles. With the provisioning profile in hand, it installs that profile on the phone and then deploys the malicious app the profile names.

Though the malicious app is still sandboxed, it doesn't have to pass through Apple's normal application vetting process, and so it can still do plenty of damage. The demonstration showed a malicious Facebook app that replaced the real Facebook app with a trojaned version. The trojaned version could then do things like take screenshots of the iPhone whenever passwords are being entered, and simulate key presses to, for example, dial numbers without user intervention.

There are limits to this kind of attack. As well as requiring the phone's screen to be unlocked, the generation of the provisioning profile requires the attacker to have a valid developer account. Each developer account can only generate provisioning profiles for 100 different phones, and there's no facility to remove a UDID that's associated with a developer's account.

This will tend to limit the attacks to specific ones against individual users, rather than widespread, indiscriminate attacking. In principle, a Mactans charger could be made to look identical to an official Apple charger; a suitably motivated attacker could replace proper chargers with the malicious chargers to attack targets' phones.
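The profile-based deployment described above leaves a concrete artifact on the device: a provisioning profile listing the UDIDs it was generated for. The following is an added example, not code from the article or the Georgia Tech researchers: a small audit of such a profile that flags developer/ad-hoc profiles, whether they name the device in question, and whether they are expired. The sample profile, team ID, UDIDs and bundle ID are constructed placeholders; the byte-search extraction relies on the plist being stored in cleartext inside the CMS-signed file, and does not verify the signature.

```python
"""Audit an iOS provisioning profile for developer/ad-hoc deployment.
A .mobileprovision file is a CMS-signed blob whose payload is an XML plist
kept in cleartext, so a byte search pulls it out; check the signature
separately (e.g. `security cms -D -i profile.mobileprovision` on macOS)."""
import plistlib
from datetime import datetime, timezone
# Constructed sample payload in the shape a developer profile carries;
# team ID, UDIDs and bundle ID are placeholders, not real identifiers.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Name</key><string>Charger Test Profile</string>
<key>TeamIdentifier</key><array><string>PLACEHOLDER01</string></array>
<key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
<key>ProvisionedDevices</key><array>
<string>udid-placeholder-aaaa</string>
<string>udid-placeholder-bbbb</string>
</array>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>PLACEHOLDER01.com.example.trojaned</string>
<key>get-task-allow</key><true/>
</dict></dict></plist>"""

def extract_plist(raw: bytes) -> dict:
    """Locate the embedded XML plist inside a raw profile and parse it."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def audit_profile(raw: bytes, my_udid: str, now: datetime = None) -> dict:
    """Summarise what the profile permits on the device whose UDID is my_udid.
    A ProvisionedDevices list marks a developer/ad-hoc profile: generated for
    specific UDIDs (100 per account) and never reviewed by the App Store."""
    p = extract_plist(raw)
    now = now or datetime.now(timezone.utc)
    devices = p.get("ProvisionedDevices", [])
    ent = p.get("Entitlements", {})
    exp = p["ExpirationDate"]
    if exp.tzinfo is None:          # plistlib yields naive datetimes in UTC
        exp = exp.replace(tzinfo=timezone.utc)
    return {
        "developer_profile": bool(devices),
        "device_count": len(devices),
        "targets_this_device": my_udid in devices,
        "debuggable": bool(ent.get("get-task-allow")),
        "app_id": ent.get("application-identifier"),
        "expired": exp < now,
    }
```

Run against the profiles under a device backup or an MDM inventory, a profile that is a developer profile, names the device and was not installed by the owner's own Xcode is the thing to investigate.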

Apple has responded to this research by making the iPhone a little less trusting. Instead of trusting any USB host that it's connected to, iOS 7 will prompt users the first time, asking if they want to trust the currently connected computer. This notification will immediately disclose that a charger isn't a charger at all, but in fact a Mactans-like device.

iOS 7 devices are a little bit more suspicious than their iOS 6 brethren.

The good news is that it might take a while before wall chargers are able to connect to the Internet.

That said, I'm a little skeptical about the warning message because users are too trusting. If it doesn't look like a computer but the phone thinks it's a computer, then they might just say "yes, trust it" thinking it's a bug and not realizing the device has the potential to modify the phone (after all, you wouldn't expect a wall charger to be able to do that).

If, for instance, you had to manually input a sequence of digits shown on the phone from the computer (and the computer would then "authenticate" to the phone with this sequence, at least on the first connection), there would be no way for a fake charger to circumvent that, except with extreme luck.

(But all in all, this kind of attack would be pretty hard to pull off in an effective way, so maybe the dialog is enough.)
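The pairing scheme proposed in the post above, modelled as an added example (not the article's or Apple's code; the class name, the six-digit code length and the three-attempt lockout are assumptions). The phone displays a code, the host must present it, and a host that never saw the screen can only guess:

```python
"""Model of the pairing the comment above proposes: the phone displays a code
and the host must present it before it is trusted."""
import hmac
import secrets
from typing import Callable, Optional

class PhonePairing:
    MAX_ATTEMPTS = 3   # assumed policy: lock the host out after three wrong codes

    def __init__(self, rng: Callable[[int], int] = secrets.randbelow):
        self.trusted_hosts = set()   # host identities the user already approved
        self.pending = {}            # host_id -> [code shown on screen, attempts left]
        self._rng = rng              # injectable only so tests are deterministic

    def on_connect(self, host_id: str) -> Optional[str]:
        """A USB host enumerated. Return the code to show on the phone's screen,
        or None when this host was already trusted (no prompt, as for a known Mac)."""
        if host_id in self.trusted_hosts:
            return None
        code = f"{self._rng(10**6):06d}"
        self.pending[host_id] = [code, self.MAX_ATTEMPTS]
        return code

    def present_code(self, host_id: str, claimed: str) -> bool:
        """The host sends what its user typed. A charger has no keyboard and
        never saw the screen, so it can only guess (3 tries in a million)."""
        entry = self.pending.get(host_id)
        if entry is None:
            return False
        entry[1] -= 1
        if hmac.compare_digest(entry[0].encode(), claimed.encode()):  # constant time
            self.trusted_hosts.add(host_id)
            del self.pending[host_id]
            return True
        if entry[1] == 0:
            del self.pending[host_id]   # locked out; re-plugging issues a new code
        return False

    def may_issue_usb_commands(self, host_id: str) -> bool:
        """Only trusted hosts get past charging into sync/install commands."""
        return host_id in self.trusted_hosts

def simulate_fake_charger(phone: PhonePairing, host_id: str = "fake-charger") -> bool:
    """A Mactans-style host trying the most common codes; returns whether it got trust."""
    phone.on_connect(host_id)
    for guess in ("000000", "123456", "111111"):
        if phone.present_code(host_id, guess):
            return True
    return phone.may_issue_usb_commands(host_id)
```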

I am trying to make sense of this article. Does it say that researchers discovered a way to side-load applications to their iPhones (that still requires the use of a developer account), but without using a Mac to do it?

I think this would be a bit too much trouble for a typical hacker to go through just to install some malware on an iOS device.

I see these cellular recharging stations all over at events such as concerts and sporting events and whatnot. You have no idea what is inside of these kiosks. They could all have these tiny computer boards behind the plastic. It's even conveniently coded: Lightning or 30-pin for iPhones, micro-USB for Android phones. Super simple.

I think you'd have a hard time squeezing a BeagleBoard (or anything similar) into a charger that still works and looks like a charger. These things are tiny and they're basically as tiny as they can be.

Of course you could still put this behind a USB charging outlet elsewhere.

It really sounds like this is 'load an app, subject to the usual sandboxing restrictions', without going through the app store.

But, the usual sandboxing doesn't allow taking screenshots of other apps, nor creating fake input. Have they actually gotten out of the sandbox, or have these researchers not really understood the limitations the sandbox places on installed apps, or is this Ars speculating wildly and incorrectly?

I am trying to make sense of this article. Does it say that researchers discovered a way to side-load applications to their iPhones (that still requires the use of a developer account), but without using a Mac to do it?

Theoretically you've always been able to. With a dev account, you can do ad-hoc distribution where a user can click a link on the Internet to install an app. HockeyApp has exploited this to become a really good beta distribution platform. I'm sure it's not a giant stretch to be able to do this by faking out what iTunes does while syncing, as there are fairly mature and complete implementations of the iPhone USB spec.

I really wish it would trust a damn USB drive plugged into it. My iPad refuses to recognize my USB drive because it uses too much power. My ass. If they can allow iOS to trust any PC it's plugged into, then why can't I use a damn USB drive to transfer pictures and video, and why must I use an SD card and only that to do so? So, so, so, so stupid that a USB drive isn't allowed to transfer media and a stupid card reader can.

It's Apple's way of making clear that this is for transferring photos from a camera and nothing else. There's some logic to that: support USB drives and people will need/expect to be able to select a directory to import photos from, or to copy other data over.

I think this would be a bit too much trouble for a typical hacker to go through just to install some malware on an iOS device.

As a mass attack, yes. But at a high level conference of some sort, such as the DNC/RNC, one could simply put out charging docks and rack up a lot of priority targets - a more literal watering hole attack. You wouldn't need to hit the officials themselves, either - pretty much every high ranking person in the world has at least one person that knows their entire professional itinerary and follows them almost everywhere. Compromise their phone and you know a whole lot about the real target, and can potentially use the infected phone to compromise the target's phone as well.

It really sounds like this is 'load an app, subject to the usual sandboxing restrictions', without going through the app store.

But, the usual sandboxing doesn't allow taking screenshots of other apps, nor creating fake input. Have they actually gotten out of the sandbox, or have these researchers not really understood the limitations the sandbox places on installed apps, or is this Ars speculating wildly and incorrectly?

This is true. iOS apps can NEVER break sandbox. Even if you write a bunch of private Apple API calls you can't exit the sandbox. For this app to be malicious, an individual needs to execute it then approve any access like location or push.

The better use of this would be to just try to suck any data you can get down while plugged in. It's a bit more difficult as iOS 7 adds even more security to passcoded data, but the masses don't use a passcode, so you could get some OAuth tokens I'm sure for various services.

I think you'd have a hard time squeezing a BeagleBoard (or anything similar) into a charger that still works and looks like a charger. These things are tiny and they're basically as tiny as they can be.

Of course you could still put this behind a USB charging outlet elsewhere.

Yeah that is why MP3 players are so huge and heavy still, still on par with a phonograph.

There are entire Android-based computers no bigger than the flash drive cases of a generation ago. All it takes is someone with the money who wants it made.

I think this would be a bit too much trouble for a typical hacker to go through just to install some malware on an iOS device.

For a carpet-bombing approach, I would agree.

But a hack like this is more suited to a highly targeted and specific attack. Bluff your way into a corporate HQ's executive suite while the prez is at lunch and swap out his charger. Entirely plausible.

But, the usual sandboxing doesn't allow taking screenshots of other apps, nor creating fake input. Have they actually gotten out of the sandbox, or have these researchers not really understood the limitations the sandbox places on installed apps, or is this Ars speculating wildly and incorrectly?

Using private APIs you can record the screen on iOS. There's even an open source project. No jailbreak needed (although you do need a developer account... just like this attack). Mind you, using such APIs will get your app instantly kicked from the App Store, but there have been apps able to obfuscate it enough to slip through detection for a while (at least in the past).

I'm not aware of any private APIs to fake user input, although there might be something usable if you can emulate Instruments.

I think you'd have a hard time squeezing a BeagleBoard (or anything similar) into a charger that still works and looks like a charger. These things are tiny and they're basically as tiny as they can be.

Of course you could still put this behind a USB charging outlet elsewhere.

Yeah that is why MP3 players are so huge and heavy still, still on par with a phonograph.

There are entire Android-based computers no bigger than the flash drive cases of a generation ago. All it takes is someone with the money who wants it made.

There's a reason that you use Beagleboards for proof of concept (cheaper, actual connectors and headers that you don't need nano-elves to connect to); but Gumstix will sell you boards pretty much identical to the Beagleboard in spec crammed into 17x58mm...

The good news is that it might take a while before wall chargers are able to connect to the Internet.

Disagree. Wall chargers could easily connect to the Internet. There are currently wired adapters that utilize the electrical circuitry to transmit/receive packets, available at WalMart no less. I think it would take only a few hours to take the Mactans 'charging' device and build this functionality into it.

I think you'd have a hard time squeezing a BeagleBoard (or anything similar) into a charger that still works and looks like a charger. These things are tiny and they're basically as tiny as they can be.

Of course you could still put this behind a USB charging outlet elsewhere.

Yeah that is why MP3 players are so huge and heavy still, still on par with a phonograph.

There are entire Android-based computers no bigger than the flash drive cases of a generation ago. All it takes is someone with the money who wants it made.

There's a reason that you use Beagleboards for proof of concept (cheaper, actual connectors and headers that you don't need nano-elves to connect to); but Gumstix will sell you boards pretty much identical to the Beagleboard in spec crammed into 17x58mm...

Unless you are going to use an emulator, you need a reasonably beefy SBC to develop code. But you can put the binary on a very small SBC.

You have to laugh at the Feds for going gaga over the iPhone. Then again, somebody else pays for their screw ups.

Even with the consent screen I can see this easily being abused in the workplace or other social situations where someone might leave a phone laying about. Unless you have to enter the lock code before "trusting" the charging device you simply need to plug it in quickly, do its thing, and remove it. A "charger" could be the size of a USB drive with a wifi antenna.

The good news is that it might take a while before wall chargers are able to connect to the Internet.

Disagree. Wall chargers could easily connect to the Internet. There are currently wired adapters that utilize the electrical circuitry to transmit/receive packets, available at WalMart no less. I think it would take only a few hours to take the Mactans 'charging' device and build this functionality into it.

You then need to also control the electrical infrastructure of the building where you want to carry out your deed. This is a cool gadget, but quite frankly, at that rate you might just use a WiFi dongle. It's gonna be a fifth of the size of the adapter.

Which brings us to the other thing: you need this adapter in a reasonable size to avoid suspicion.